Energy, NNSA disagree over security practices
- By Patience Wait
- Aug 24, 2006
Carl Staton, the Energy Department's incoming deputy CIO, says his experiences with the National Oceanic and Atmospheric Administration's semi-autonomous agencies would serve him well at DOE, where a similarly loose organizational structure is in place.
He may have to start with the relationship between DOE and the National Nuclear Security Administration.
DOE's inspector general's office has released two related reports scolding the department for security lapses at two of its premier labs, both of them part of NNSA: failing to destroy data on obsolete or surplus computer equipment, and improperly disposing of hardware.
In August 2005, the Los Alamos National Laboratory auctioned off excess equipment, including an Apple Mac G4 computer. It was purchased by an employee of an Albuquerque TV station, which reported almost two weeks later that the computer still contained unclassified documents.
The department's IG office launched an investigation, as did the lab itself.
The IG's office found that Los Alamos had not followed its own or DOE's controls before selling off the computer: the lab failed to 'sanitize' the hard drive, and did not remove it from the computer, before the equipment was sold.
Meanwhile, an inquiry at the Sandia National Laboratory revealed that hard drives containing classified information were not being destroyed properly.
'[O]ur inspection confirmed that although classified hard drives were degaussed, they were not destroyed as required by department policy,' the Sandia report concluded. Degaussing is the process of using magnets to wipe data off electronic media, such as hard drives.
The inspection at Sandia also revealed that employees did not maintain an audit trail for classified removable electronic media, did not make sure the hard drives were destroyed the same day they were removed from the lab, did not obtain DOE approval before using an off-site destruction facility, and did not make sure the destruction was carried out by a person with appropriate clearance levels. All of these are policy requirements within DOE.
'Under current [DOE] cybersecurity policy, degaussing is not an approved method of destruction for media,' the IG report stated.
Tom Pyke, DOE's chief information officer, concurred with the findings of the report, but the National Nuclear Security Administration's associate administrator for management and administration disagreed.
Michael Kane, NNSA's associate administrator, said that once hard drives have been degaussed, 'they are no longer classified and [are] released from accountability,' the IG report states. 'Although the associate administrator did not state whether or not he concurred with our recommendations, his specific comments made it clear that he did not believe that any further action was warranted.'